security+quality: TLS verification hardening, Dependabot, and CodeQL

[mkilijanek]

Summary

This PR cherry-picks three low-risk commits from my fork to improve security posture and maintenance hygiene in upstream:

1. b974ff1 (cherry-picked from 376168c): enforce certificate + hostname verification for upstream TLS client context.
2. fd51431 (cherry-picked from 9307fa2): add Dependabot configuration for Python, Docker, and GitHub Actions.
3. ab4ca43 (cherry-picked from 77f8c74): add advanced CodeQL workflow (security-and-quality) for Python.

Why these changes

• TLS hardening removes insecure defaults (CERT_NONE, disabled hostname checks) and switches to trusted CA verification.
• Dependabot reduces dependency drift and shortens exposure windows for known CVEs.
• CodeQL gives continuous static analysis for security/quality regressions.

Scope and risk

• Scope is intentionally narrow (1 runtime file + 2 GitHub config files).
• No feature behavior changes outside TLS validation correctness.
• CI configs are additive and do not alter release artifacts.

Validation

• python3 -m py_compile evilwaf.py core/*.py chemistry/*.py
• Cherry-picks were applied with -x to preserve provenance.

Follow-ups (optional, separate PRs)

• Add lightweight test workflow once upstream test baseline is finalized.
• Pin GitHub Action SHAs for stronger supply-chain hardening.

[mkilijanek]

Master merge plan for this upstream improvement batch:

1. Security baseline:

• security+quality: TLS verification hardening, Dependabot, and CodeQL #7

2. Runtime fixes/features (ordered dependencies):

• fix(core): add missing core.proxy_file module used by CLI #17 -> fix(core): honor tor rotation interval and override IP wiring #18 -> perf(origin): bound scanner concurrency and improve timeout control #19 -> refactor(core): extract RecordStore from interceptor #20 -> feat(core): add file-backed record spooling support #21 -> feat(records): add spool rotation/compression and history readback #22 -> feat(core): add runtime proxy metrics and accounting #23 -> perf: add benchmark harness, budgets, and retention guardrails #24 -> ci(perf): add primary CI workflow with smoke budget checks #25 -> chore(docker): bump base image to python:3.14-slim #26

3. Repo/process hygiene (can be merged after security+quality: TLS verification hardening, Dependabot, and CodeQL #7; mostly independent):

• chore(repo): ignore and remove Python bytecode artifacts #8, docs(security): add SECURITY.md vulnerability policy #9, ci: add minimal sanity workflow for syntax and CLI smoke checks #10, docs: add CONTRIBUTING.md with PR and validation checklist #11, chore(repo): add .editorconfig for consistent formatting #12, docs(issues): add structured bug report template #13, docs(pr): add PR template with risk and validation checklist #14, chore(repo): add .gitattributes for line ending and binary handling #15, fix(docker): add missing docker-entrypoint.sh and cleanup docker context #16

Suggested strategy:

• Merge security+quality: TLS verification hardening, Dependabot, and CodeQL #7 first.
• Then merge runtime chain in order (to minimize conflicts and regression risk).
• Merge docs/process PRs in parallel whenever convenient.

If useful, I can also rebase/refresh any PR in this set after upstream merges start landing.

[matrixleons]

Your changes in interceptor.py break
the core MITM proxy functionality.

Test result:
nikto -h https://testfire.net
-useproxy http://127.0.0.1:8080

ERROR: Proxy error: error reading
HTTP response

EvilWAF uses self-signed certificates
for MITM — enforcing strict TLS
verification breaks this completely.

[matrixleons]

Please rethink !👍